New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-17035: fix KRP permissions for Thanos Querier #2057
Conversation
@rexagod: This pull request references Jira Issue OCPBUGS-17035, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/jira refresh |
@rexagod: An error was encountered querying GitHub for users with public email (juzhao@redhat.com) for bug OCPBUGS-17035 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details. Full error message.
Post "http://ghproxy/graphql": dial tcp 172.30.229.2:80: connect: connection refused
Please contact an administrator to resolve this issue, then request a bug refresh with In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to update the assertTenancyForMetrics e2e test.
Right now it creates a test service account to verify that a user can query metrics from their namespace but it grants the "admin" role which is too permissive. I'd advise to create a role with just-enough permissions allowing to get pod metrics.
2520236
to
c2fcef4
Compare
/retest |
46fc05a
to
ddab55a
Compare
/test e2e-aws-ovn-single-node |
5f6d166
to
8676114
Compare
69201fa
to
68b51db
Compare
/jira refresh |
@jan--f: This pull request references Jira Issue OCPBUGS-17035, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
9116c65
to
efbba1d
Compare
@rexagod: This pull request references Jira Issue OCPBUGS-17035, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
fix KRP configuration for thanos-querier in order to enforce restricted access only to entities allowed to [http-verb] for pods.metrics.k8s.io Signed-off-by: Pranshu Srivastava <rexagod@gmail.com>
efbba1d
to
9e9b738
Compare
Thanks! To me this looks good. |
/retest |
@rexagod: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/label acknowledge-critical-fixes-only |
/hold cancel |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jan--f, rexagod, simonpasquier The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
b0ee4d6
into
openshift:master
@rexagod: Jira Issue OCPBUGS-17035: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-17035 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[ART PR BUILD NOTIFIER] This PR has been included in build cluster-monitoring-operator-container-v4.15.0-202311171551.p0.gb0ee4d6.assembly.stream for distgit cluster-monitoring-operator. |
Fix included in accepted release 4.15.0-0.nightly-2023-11-17-183843 |
fix KRP configuration for thanos-querier in order to enforce restricted
access only to entities allowed to [http-verb] for pods.metrics.k8s.io
Signed-off-by: Pranshu Srivastava rexagod@gmail.com